Identity has become the new security perimeter in the modern threat landscape. This may not come as a surprise to those who follow the trends showing that an overwhelming majority of security breaches result from identity-based attacks. Proofpoint has found that over 90% of breaches involve an identity component in the attack chain
Cybersecurity practitioners have understood for a long time that human behaviour is a core security vulnerability. The most recent Verizon Data Breach Investigations Report shows that 74% of confirmed breaches involve the human element, and this data has been consistent for years.
Threat actors are extending proven tactics such as phishing and credential theft and targeting the supply chain. Compromising the supply chain can potentially yield a very high return on investment. So malicious actors are throwing their weight behind their most successful tactics—attacking identity—to maximize those returns.
Proofpoint’s 2023 State of the Phish report shows that 86% of phishing attacks experienced by organizations in the UAE in 2022 were successful. 26% of these successful attacks resulted in credential theft or account compromise, providing attackers access to organizations’ accounts, or identities. Once threat actors have successfully compromised even a single identity, they can move laterally throughout the organization with ease.
According to research from the independent nonprofit Identity Defined Security Alliance, 90% of surveyed organizations have experienced an identity-related breach in the past 12 months. It’s imperative for organizations to adapt to this new reality and evolve their defences.
The three biggest types of identity risks
Many organisations have invested substantially in fortifying their identity infrastructure. But they are missing the most vulnerable components, such as stored and cached credentials, session cookies, access keys, shadow privileged accounts, and various misconfigurations associated with accounts and identities.
Understanding how cybercriminals are attacking identity within your organization is the first step to protecting the new attack surface and breaking the attack chain.
First, you need to know which human entry points are the most vulnerable and the most targeted in your organization. You can’t mitigate every risk, which means you’ll need to prioritize.
Threat actors typically target three identity areas:
●Unmanaged identities: These include identities used by applications—service accounts—and local admins. Threat Research from Proofpoint found that 87% of local admins are not enrolled in a privileged account management solution. Yet these types of identities are often undiscovered during deployment or are forgotten after serving their purpose. Many of these accounts use default or outdated passwords, further increasing the risk.
●Misconfigured identities: “Shadow” admins, identities configured with weak or no encryption, and accounts with weak credentials are examples of misconfigured identities. The Human Factor 2023 report from Proofpoint shows that as many as 40% of misconfigured, or shadow admin identities can be exploited in just one step—for example, by resetting a domain password to escalate privileges. The report also found that 13% of shadow admins already have domain admin privileges, enabling malicious actors to harvest credentials and infiltrate the organization.
●Exposed identities: This category includes cached credentials stored on various systems, cloud access tokens stored on endpoints, and open remote access sessions. One in six endpoints contain exposed privileged account passwords, such as cached credentials. This practice is just as risky as allowing employees to leave sticky notes with usernames and passwords on their devices, yet it’s commonly overlooked.
Whatever type of identity malicious actors compromise, it only takes one vulnerable account to provide unfettered access to your organization. And the longer they go undetected, the more devastating are the potential consequences.
Managing risks with identity threat detection and response
Combating any type of threat necessitates several core activities: detecting and identifying threats in real-time, prioritizing them, and promptly remedying the situation by automating responses as much as possible. This is where the best practices of threat detection and response come into play.
However, organisations typically only implement threat detection and response for their technology. And this is not enough in today’s people-centric threat environment.
As the human perimeter has become the most vulnerable component, identity threat detection and response (ITDR) has emerged as a critical part of identifying and mitigating gaps in identity-driven exposure.
ITDR requires a combination of comprehensive security processes, tools, and best practices. Treat identities the same way you treat any other asset type, including your network and endpoints.
Start with proactive, preventative controls so you can discover and mitigate identity vulnerabilities before cybercriminals can exploit them. Continuous discovery and automated remediation are your best way of keeping malicious actors out.
Next, you need the ability to swiftly neutralize threats should they slip through defenses. As no controls are foolproof, consider the full attack chain. Stopping privilege escalation quickly is paramount because threat actors will attempt that step as soon as they’ve achieved initial access. If they can’t get anywhere, they’ll have to give up and move on.
Advanced tools that offer capabilities such as machine learning or analytics to detect unusual or suspicious events and behaviors, along with automated response, increase your degree of success.
Similar to tools such as endpoint detection and response and extended detection and response, robust ITDR solutions provide an in-depth approach to mitigating exposure. Cybercriminals are simply moving too fast for security teams to keep up with identity threats without the right tools for the job.
Finally, effective ITDR relies on best practices such as ensuring good cyber hygiene. After all, people are your biggest security hole. People-centric defences don’t work if you don’t empower employees to break the attack chain by changing their behaviours and habits. And improving hygiene is a simple activity that doesn’t require a lot of resources.